Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough
Abdessamad BARAKAT wrote:
> Hi people,
>
> Nobody to give me feedback about this feature (NTLM auth pass-through)?

You know as much about this as most here. It doesn't work.

I'm no expert myself, but I suspect the reason goes something like this: (wild guess)

NTLM is a sub-band authentication in background channels directly between the server and client. Now the client thinks the reverse proxy IS the server, so it is happy to authenticate with it. Squid is possibly able to pass the login details back to Exchange, which required NTLM with the client. Client goes, "hang on a minute, I wasn't talking to you", and kills the auth. Squid does not have the client-stored secret information to set up a fake NTLM sequence to Exchange on behalf of the username/pass it knows.

As I said, I'm no expert, but it seems to me that is likely what the issue is. If I'm wrong, can someone please indicate why such an old and popular item as NTLM re-auth has not been implemented in _any_ version of Squid yet?

Amos

> Thanks
>
> On 14 Jul 08 at 12:39, Abdessamad BARAKAT wrote:
>
>> Hi,
>>
>> I need to reverse proxy an OWA 2007 service and I have some problems with NTLM authentication and the RPC connection.
>>
>> Squid offers an SSL service and connects itself to the OWA with an SSL connection. The NTLM authentication was made by the OWA, so I need Squid to pass the credentials without modifying them. Actually I get only a 401 error code, but when I switch the authentication to Basic authentication in the Outlook Anywhere settings, it's working. I really want to have the NTLM authentication working so as not to ask all users to change their settings.
>>
>> The Squid is chrooted.
>>
>> I have tried the following versions:
>> - 3.0 STABLE7
>> - 2.7STABLE3
>> - 2.6STABLE21
>> - 2.6STABLE3
>>
>> My setup (sometimes I need to add acl all or logfile_daemon between versions, that's all):
>>
>> # CHROOT
>> chroot /usr/local/squid
>> mime_table /etc/mime.conf
>> icon_directory /share/icons
>> error_directory /share/errors/English
>> unlinkd_program /libexec/unlinkd
>> cache_dir ufs /var/cache 100 16 256
>> cache_store_log /var/logs/store.log
>> access_log /var/logs/access.log squid
>> pid_filename /var/logs/squid.pid
>> logfile_daemon /libexec/logfile-daemon
>>
>> # Define the required extension methods
>> extension_methods RPC_IN_DATA RPC_OUT_DATA
>>
>> # Publish the RPCoHTTP service via SSL
>> https_port 192.168.1.122:8443 cert=/etc/apache2/ssl/webmail.corporate.com.pem defaultsite=webmail.corporate.com
>>
>> cache_peer 172.16.18.13 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
>>
>> acl all src 0.0.0.0/0.0.0.0
>> acl EXCH dstdomain .corporate.com
>> cache_peer_access exchangeServer allow EXCH
>> cache_peer_access exchangeServer deny all
>> never_direct allow EXCH
>>
>> # Lock down access to just the Exchange Server!
>> http_access allow EXCH
>> http_access deny all
>> miss_access allow EXCH
>> miss_access deny all
>>
>> #no local caching
>> #maximum_object_size 0 KB
>> #minimum_object_size 0 KB
>> #no_cache deny all
>> #access_log /usr/local/squid/var/logs/access.log squid
>>
>> Thanks a lot for any tips or information.

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE7
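The mechanism behind Amos's guess is that NTLM authenticates a TCP connection, not a request: the challenge the server issues on one backend connection is only valid for the AUTHENTICATE message arriving on that same connection, so a proxy that answers the client over whichever pooled backend connection is free gets a 401, while Basic, which carries the secret in every request, goes through. The following Python model is an added example, not code from the thread or from Squid; the HMAC-SHA256 "response", the connection ids, and the user "alice" are constructed stand-ins for the real NTLM crypto.

```python
import hashlib
import hmac
import itertools
import os

# Constructed demo credential. Real NTLM derives the response from the user's
# password hash, which the proxy never holds; HMAC-SHA256 is a stand-in here.
USERS = {"alice": b"constructed-secret"}


class Backend:
    """Models the IIS/OWA side: an NTLM challenge lives on ONE TCP connection."""
    def __init__(self):
        self.challenges = {}  # backend connection id -> outstanding challenge

    def handle(self, conn, msg):
        if msg["type"] == 1:  # NTLM NEGOTIATE: issue a challenge bound to conn
            self.challenges[conn] = os.urandom(8)
            return {"status": 401, "challenge": self.challenges[conn]}
        if msg["type"] == 3:  # NTLM AUTHENTICATE: only valid on the same conn
            chal = self.challenges.pop(conn, None)
            if chal is None:  # no handshake state on this connection -> 401
                return {"status": 401}
            expected = hmac.new(USERS.get(msg["user"], b""), chal, hashlib.sha256).digest()
            return {"status": 200 if hmac.compare_digest(expected, msg["response"]) else 401}
        if msg["type"] == "basic":  # Basic carries the secret every time: stateless
            ok = hmac.compare_digest(USERS.get(msg["user"], b""), msg["secret"])
            return {"status": 200 if ok else 401}
        return {"status": 400}


class Proxy:
    """Reverse proxy holding a pool of reused backend connections."""
    def __init__(self, backend, pin):
        self.backend, self.pin = backend, pin
        self.pool = itertools.cycle(["b0", "b1", "b2"])
        self.pinned = {}  # client connection -> dedicated backend connection

    def forward(self, client_conn, msg):
        if self.pin:  # pinning: a client conn always reuses the same backend conn
            conn = self.pinned.setdefault(client_conn, next(self.pool))
        else:  # no pinning: whichever pooled backend connection comes next
            conn = next(self.pool)
        return self.backend.handle(conn, msg)


def client_login(proxy, user, secret):
    """Run the NEGOTIATE/CHALLENGE/AUTHENTICATE exchange over one client connection."""
    reply = proxy.forward("c0", {"type": 1})
    response = hmac.new(secret, reply["challenge"], hashlib.sha256).digest()
    return proxy.forward("c0", {"type": 3, "user": user, "response": response})["status"]


def client_basic(proxy, user, secret):
    """Send one Basic-authenticated request through the proxy."""
    return proxy.forward("c0", {"type": "basic", "user": user, "secret": secret})["status"]


def demo():
    """Same valid credential: 401 through an unpinned proxy, 200 through a pinned one."""
    unpinned = client_login(Proxy(Backend(), pin=False), "alice", USERS["alice"])
    pinned = client_login(Proxy(Backend(), pin=True), "alice", USERS["alice"])
    return unpinned, pinned
```

The pinned path is what a proxy needs for NTLM pass-through: every request on a given client connection must ride the same backend connection for the life of the handshake.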
RE: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough
Amos,

I've never been able to get NTLM pass thru to work with Squid, I'm guessing because of the double-hop issue. Kerberos, on the other hand, works perfectly once you've set up all the service principal names etc. and is also much more secure. If you can get Kerberos working between the client and the OWA server directly, you can slot Squid in the middle and the clients won't care.

Joe Tiedeman
Support Analyst
Higher Education Statistics Agency (HESA)
95 Promenade, Cheltenham, Gloucestershire GL50 1HZ
T 01242 211167 F 01242 211122 W www.hesa.ac.uk

-----Original Message-----
From: Amos Jeffries [mailto:[EMAIL PROTECTED]]
Sent: Thursday 17 July 2008 11:18
To: Abdessamad BARAKAT
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough
Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough
Thanks Amos and Joe for your opinion. I will forget the idea of making this work...

Thanks again for your feedback.

On 17 Jul 08 at 13:10, Joe Tiedeman wrote:
Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough
Hi people,

Nobody to give me feedback about this feature (NTLM auth pass-through)?

Thanks

On 14 Jul 08 at 12:39, Abdessamad BARAKAT wrote:
[squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM authentication passthrough
Hi,

I need to reverse proxy an OWA 2007 service and I have some problems with NTLM authentication and the RPC connection.

Squid offers an SSL service and connects itself to the OWA with an SSL connection. The NTLM authentication was made by the OWA, so I need Squid to pass the credentials without modifying them. Actually I get only a 401 error code, but when I switch the authentication to Basic authentication in the Outlook Anywhere settings, it's working. I really want to have the NTLM authentication working so as not to ask all users to change their settings.

The Squid is chrooted.

I have tried the following versions:
- 3.0 STABLE7
- 2.7STABLE3
- 2.6STABLE21
- 2.6STABLE3

My setup (sometimes I need to add acl all or logfile_daemon between versions, that's all):

# CHROOT
chroot /usr/local/squid
mime_table /etc/mime.conf
icon_directory /share/icons
error_directory /share/errors/English
unlinkd_program /libexec/unlinkd
cache_dir ufs /var/cache 100 16 256
cache_store_log /var/logs/store.log
access_log /var/logs/access.log squid
pid_filename /var/logs/squid.pid
logfile_daemon /libexec/logfile-daemon

# Define the required extension methods
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Publish the RPCoHTTP service via SSL
https_port 192.168.1.122:8443 cert=/etc/apache2/ssl/webmail.corporate.com.pem defaultsite=webmail.corporate.com

cache_peer 172.16.18.13 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer

acl all src 0.0.0.0/0.0.0.0
acl EXCH dstdomain .corporate.com
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all

#no local caching
#maximum_object_size 0 KB
#minimum_object_size 0 KB
#no_cache deny all
#access_log /usr/local/squid/var/logs/access.log squid

Thanks a lot for any tips or information.
Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM
On Thu, 2008-07-03 at 07:28 +0200, Abdessamad BARAKAT wrote:
> Hi,
>
> I try to set up Squid as an SSL reverse proxy for publishing OWA services (webmail, RPC/HTTP and ActiveSync); now the publishing is done by an ISA server and I want to replace this ISA Server.
>
> The flow:
>
> Internet => Firewall (NAT) => Squid reverse proxy on DMZ (HTTPS port 8443) => Firewall (8443 open) => Exchange Server (NLB IP on HTTPS port 443)

This will generally only work if the NAT port translates external port 443 to 8443 on the proxy. OWA will not work if the externally requested port differs from the port where OWA is running on the Exchange server.

> I can get webmail working well, not yet tested ActiveSync, but the use of RPC over HTTP doesn't work; I get a 401 error code when I try to log on with Outlook:

Have you told Squid to trust the web server with logon credentials? See the cache_peer login= option.

Regards
Henrik
Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM
On Thu, 2008-07-03 at 12:35 +0200, Abdessamad BARAKAT wrote:
> I have tried login=PASS without success. If I have understood correctly, the credentials are sent to the backend server without any modifications.

Yes.

> Finally, if I set Basic authentication on the Outlook client, it's working.

Which Squid version?

Regards
Henrik
Re: [squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM
On Thu, 2008-07-03 at 14:02 +0200, Abdessamad BARAKAT wrote:
> On 3 Jul 08 at 12:46, Henrik Nordstrom wrote:
>> On Thu, 2008-07-03 at 12:35 +0200, Abdessamad BARAKAT wrote:
>>> I have tried login=PASS without success. If I have understood correctly, the credentials are sent to the backend server without any modifications.
>>
>> Yes.
>>
>>> Finally, if I set Basic authentication on the Outlook client, it's working.
>>
>> Which Squid version?
>
> 3.0STABLE7

Then downgrade to 2.7. NTLM passthru is not supported in Squid-3 yet, but is supported in Squid-2.6 and later Squid-2 versions.

We hope to have the needed workarounds for Microsoft's bending of the HTTP protocol in place for Squid-3.1, but no guarantee.

Regards
Henrik
[squid-users] Reverse Proxy, OWA RPCoHTTPS and NTLM
Hi,

I try to set up Squid as an SSL reverse proxy for publishing OWA services (webmail, RPC/HTTP and ActiveSync); now the publishing is done by an ISA server and I want to replace this ISA Server.

The flow:

Internet => Firewall (NAT) => Squid reverse proxy on DMZ (HTTPS port 8443) => Firewall (8443 open) => Exchange Server (NLB IP on HTTPS port 443)

I can get webmail working well, not yet tested ActiveSync, but the use of RPC over HTTP doesn't work; I get a 401 error code when I try to log on with Outlook:

squid access log:

1215017068.440 253 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?exchange:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.291 96 193.251.14.120 TCP_MISS/401 482 RPC_IN_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?exchange:6001 - FIRST_UP_PARENT/exchangeServer text/html
1215017080.537 85 193.251.14.120 TCP_MISS/401 482 RPC_OUT_DATA https://webmail.company.com:8443/rpc/rpcproxy.dll?exchange:6001 - FIRST_UP_PARENT/exchangeServer text/html

IIS log:

2008-07-02 13:30:49 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll exchange:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:28 W3SVC1 172.16.18.136 RPC_IN_DATA /rpc/rpcproxy.dll exchange:6001 443 - 172.16.18.128 MSRPC 401 1 0
2008-07-02 13:31:34 W3SVC1 172.16.18.136 RPC_OUT_DATA /rpc/rpcproxy.dll exchange:6001 443 - 172.16.18.128 MSRPC 401 1 0

The IIS RPC service is configured to use Windows Integrated Authentication, so I think maybe I need to set up some NTLM auth settings to fix this problem. The GC and DC are on the same LAN as the Exchange server; no firewall issues with the RPC ports (6001, 6002 and 6004).

I have tried with the versions 3.0STABLE7 and 2.7STABLE3.

If someone has some ideas or solutions to resolve this issue, thanks a lot.

squid.conf:

# Define the required extension methods
extension_methods RPC_IN_DATA RPC_OUT_DATA

# Publish the RPCoHTTP service via SSL
https_port squid_ip:8443 cert=/etc/apache2/ssl/cert.pem defaultsite=webmail.toto.com

cache_peer exchange_ip parent 443 0 no-query originserver front-end-https=auto ssl sslflags=DONT_VERIFY_PEER name=exchangeServer

acl EXCH dstdomain .toto.com
acl all src 0.0.0.0/0.0.0.0

no_cache deny all

#no local caching
maximum_object_size 0 KB
minimum_object_size 0 KB

access_log /usr/local/squid/var/logs/access.log squid

cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH

# Lock down access to just the Exchange Server!
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
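Both squid.conf fragments in this thread share settings worth flagging before an OWA reverse proxy goes on the Internet: the backend certificate is not verified (sslflags=DONT_VERIFY_PEER), client credentials are forwarded to the peer (login=PASS in the 14 July config), and caching is only switched off in one of the two. The checker below is an added example, not code from the thread or the Squid project; its embedded input is the cache_peer/access part of the 14 July config with the chroot and log lines dropped, and it assumes the simple one-directive-per-line squid.conf layout shown in the posts.

```python
import shlex

# squid.conf from the 14 July post (chroot/log lines omitted), embedded as input.
SQUID_CONF = """
extension_methods RPC_IN_DATA RPC_OUT_DATA
https_port 192.168.1.122:8443 cert=/etc/apache2/ssl/webmail.corporate.com.pem defaultsite=webmail.corporate.com
cache_peer 172.16.18.13 parent 443 0 no-query originserver login=PASS ssl sslflags=DONT_VERIFY_PEER name=exchangeServer
acl all src 0.0.0.0/0.0.0.0
acl EXCH dstdomain .corporate.com
cache_peer_access exchangeServer allow EXCH
cache_peer_access exchangeServer deny all
never_direct allow EXCH
http_access allow EXCH
http_access deny all
miss_access allow EXCH
miss_access deny all
#no_cache deny all
"""


def parse(conf):
    """Return (directive, args) for every non-blank, non-comment line."""
    rows = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = shlex.split(line)
            rows.append((parts[0], parts[1:]))
    return rows


def peer_options(args):
    """Turn a cache_peer argument list into a dict of positional fields and options."""
    peer = {"host": args[0], "type": args[1], "port": args[2]}
    for tok in args[4:]:  # host type http_port icp_port, then flags / key=value options
        key, _, val = tok.partition("=")
        peer[key] = val or True
    return peer


def check(conf):
    """Return findings for the reverse-proxy settings this thread is about."""
    rows = parse(conf)
    findings = []
    for directive, args in rows:
        if directive == "cache_peer":
            peer = peer_options(args)
            name = peer.get("name", peer["host"])
            if "DONT_VERIFY_PEER" in str(peer.get("sslflags", "")):
                findings.append(f"{name}: backend certificate not verified (sslflags=DONT_VERIFY_PEER)")
            if peer.get("login") == "PASS":
                tls = "yes" if "ssl" in peer else "NO"
                findings.append(f"{name}: login=PASS forwards client credentials to the peer (TLS to peer: {tls})")
        elif directive == "https_port" and not any(a.startswith("cert=") for a in args):
            findings.append("https_port has no cert=")
    if ("http_access", ["deny", "all"]) not in rows:
        findings.append("no final 'http_access deny all'")
    if not any(d in ("cache", "no_cache") and a == ["deny", "all"] for d, a in rows):
        findings.append("caching not disabled: confirm authenticated OWA responses are never stored")
    return findings
```

Running it on the 3 July config above instead reports only the DONT_VERIFY_PEER finding, since that one has no login=PASS and does carry no_cache deny all.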